U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

White Paper (Draft)

[Project Description] TLS Server Certificate Management

Date Published: October 2017
Comments Due: October 25, 2017 (public comment period is CLOSED)
Email Questions to: tls-cert-mgmt-nccoe@nist.gov


William Haag (NIST), W. Polk (NIST), Murugiah Souppaya (NIST), William Barker (Dakota Consulting), Paul Turner (Venafi), Russ Housley (Vigil Security)


This project provides guidance on the governance and management of Transport Layer Security (TLS) server certificates in enterprise environments to reduce outages, improve security, and enable disaster recovery related to certificates. The project will be result in a freely available NIST Cybersecurity Practice Guide, documenting an example solution that demonstrates how to perform the following actions:

  • develop a set of policy attributes;
  • establish and maintain an inventory of TLS certificates;
  • assign and track certificate owners;
  • identify issues and vulnerabilities of the TLS infrastructure;
  • automate enrollment and installation;
  • report the status of the TLS certificates; and
  • continuously monitor TLS certificates in the typical enterprise environment.



transport layer security (TLS); certificate management; private-key security; certification authority (CA); CA compromise; automatic certificate management environment (ACME); secure sockets layer (SSL); public key infrastructure (PKI)
Control Families

None selected


Draft Project Description

Supplemental Material:
Submit Comments (other)
Project Homepage (other)

Document History:
10/12/17: White Paper (Draft)
11/09/17: White Paper (Final)